From 7b5e2ff9e0776120d2440983b2b82499304f59f9 Mon Sep 17 00:00:00 2001
From: Martin Schuppert
Date: Tue, 19 Dec 2023 17:37:55 +0100
Subject: [PATCH] [wip] novncproxy tls
---
 controllers/novanovncproxy_controller.go | 5 ++++-
 templates/nova.conf | 15 ++++++++-------
 2 files changed, 12 insertions(+), 8 deletions(-)
diff --git a/controllers/novanovncproxy_controller.go b/controllers/novanovncproxy_controller.go
index 10953831d..b94c3cea8 100644
--- a/controllers/novanovncproxy_controller.go
+++ b/controllers/novanovncproxy_controller.go
@@ -348,11 +348,14 @@ func (r *NovaNoVNCProxyReconciler) generateConfigs(
 "cell_db_address": instance.Spec.CellDatabaseHostname,
 "cell_db_port": 3306,
 "transport_url": string(secret.Data[TransportURLSelector]),
-"openstack_cacert": "", // fixme
 "openstack_region_name": "regionOne", // fixme
 "default_project_domain": "Default", // fixme
 "default_user_domain": "Default", // fixme
 }
+if instance.Spec.TLS.GenericService.Enabled() {
+templateParameters["SSLCertificateFile"] = fmt.Sprintf("/etc/pki/tls/certs/%s.crt", novncproxy.ServiceName)
+templateParameters["SSLCertificateKeyFile"] = fmt.Sprintf("/etc/pki/tls/private/%s.key", novncproxy.ServiceName)
+}
 extraData := map[string]string{}
 if instance.Spec.CustomServiceConfig != "" {
 extraData["02-nova-override.conf"] = instance.Spec.CustomServiceConfig
diff --git a/templates/nova.conf b/templates/nova.conf
index 8e6cf1335..5698d1666 100644
--- a/templates/nova.conf
+++ b/templates/nova.conf
@@ -42,6 +42,14 @@ metadata_workers=1
 enabled_apis=metadata
 {{end}}
+{{if eq .service_name "nova-novncproxy"}}
+{{ if (index . "SSLCertificateFile") }}
+ssl_only=true
+cert={{.SSLCertificateFile}}
+key={{.SSLCertificateKeyFile}}
+{{end}}
+{{end}}
+
 [oslo_concurrency]
 lock_path = /var/lib/nova/tmp
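Review bot: Nothing in the new code replaces the CA bundle that the removed `"openstack_cacert"` parameter fed into the template's `cafile =` lines, so the Keystone/Neutron/Placement/Cinder/Barbican clients of nova-novncproxy now verify internal endpoints against the container's system trust store alone. If those endpoints are issued by a private CA, that CA has to be mounted or baked into the image, otherwise token validation fails and the tempting workaround is `insecure = true`, which silently disables verification. The `SSLCertificateKeyFile` path under `/etc/pki/tls/private/` likewise relies on a secret volume mount that is not part of this hunk; presumably a later commit of this WIP adds both, and a `// TODO(tls): mount the CA bundle for service clients and the cert/key secret at these paths` next to the `if instance.Spec.TLS.GenericService.Enabled()` block would record that dependency. generateConfigs starts before and continues past this hunk.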
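Review bot: `ssl_only=true` with `cert`/`key` secures only the browser-to-proxy WebSocket leg; the proxy's own connection to the compute host's VNC server is untouched by these options and stays plaintext unless VeNCrypt is configured (`[vnc] auth_schemes = vencrypt` plus the `vencrypt_client_cert`/`vencrypt_client_key`/`vencrypt_ca_certs` options), which this WIP does not yet do. Because the block is only keyed on `SSLCertificateFile` being present, a reader cannot tell from the template whether that scope is intentional; a comment above the `{{if eq .service_name "nova-novncproxy"}}` line such as `# TLS here terminates at the proxy; the proxy->compute VNC leg needs the [vnc] vencrypt options` would make it explicit. It is also worth confirming that line 42 still sits inside `[DEFAULT]` — the section header is outside the hunk, and `ssl_only`, `cert` and `key` are `[DEFAULT]` options.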
@@ -211,7 +219,6 @@ user_domain_name = {{ .default_user_domain}}
 project_name = service
 username = {{ .nova_keystone_user }}
 password = {{ .nova_keystone_password }}
-cafile = {{ .openstack_cacert }}
 region_name = {{ .openstack_region_name }}
 # This is part of hardening related to CVE-2023-2088
 # https://docs.openstack.org/nova/latest/configuration/config.html#keystone_authtoken.service_token_roles_required
@@ -226,7 +233,6 @@ user_domain_name = {{ .default_user_domain}}
 project_name = service
 username = {{ .nova_keystone_user }}
 password = {{ .nova_keystone_password }}
-cafile = {{ .openstack_cacert }}
 region_name = {{ .openstack_region_name }}
 valid_interfaces = internal
@@ -238,7 +244,6 @@ user_domain_name = {{ .default_user_domain}}
 project_name = service
 username = {{ .nova_keystone_user }}
 password = {{ .nova_keystone_password }}
-cafile = {{ .openstack_cacert }}
 region_name = {{ .openstack_region_name }}
 valid_interfaces = internal
 {{if (index . "debug") }}debug=true{{end}}
@@ -251,7 +256,6 @@ user_domain_name = {{ .default_user_domain}}
 project_name = service
 username = {{ .nova_keystone_user }}
 password = {{ .nova_keystone_password }}
-cafile = {{ .openstack_cacert }}
 region_name = {{ .openstack_region_name }}
 valid_interfaces = internal
 {{if eq .service_name "nova-metadata"}}
@@ -267,7 +271,6 @@ user_domain_name = {{ .default_user_domain}}
 project_name = service
 username = {{ .nova_keystone_user }}
 password = {{ .nova_keystone_password }}
-cafile = {{ .openstack_cacert }}
 region_name = {{ .openstack_region_name }}
 catalog_info = volumev3:cinderv3:internalURL
@@ -279,7 +282,6 @@ user_domain_name = {{ .default_user_domain}}
 project_name = service
 username = {{ .nova_keystone_user }}
 password = {{ .nova_keystone_password }}
-cafile = {{ .openstack_cacert }}
 region_name = {{ .openstack_region_name }}
 barbican_endpoint_type = internal
@@ -292,7 +294,6 @@ user_domain_name = {{ .default_user_domain}}
 project_name = service
 username = {{ .nova_keystone_user }}
 password = {{ .nova_keystone_password }}
-cafile = {{ .openstack_cacert }}
 {{ if (index . "compute_driver") }}
 {{if eq .compute_driver "ironic.IronicDriver"}}